-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 NT4 will apply the most > restrictive rights it can, so if you have a user Joe Blow, > that is an admin and part of the local admin group(least > restrictive), but he is also part of the Domain Users (more > restrictive), he will only have the rights available to the > Domain User, not the local admin account.
It all depends on what you need to do. In one instance you are right. But if you are refering to different groups on the same domain then the oposite is true. Least restrictive takes precedence. The best thing to do from an administrative perspective is to not allow any local accounts but enforce all logins to be authenticated through a domain controller. Through group policies or not allowing the creation of local accounts. > A simpler explanation could be that they are only members of > the local admin group on the NT4 box and not the Domain > Admins, or your 2K domain is not properly talking to the NT4 > domain. - From what I understood of the original post there is no W2K domain just workstations with NT4 servers but you are right there are definitely differences in the way NT4 and W2K servers handle permissions. Local admin group only applies to the server itself whereas Domain admins are able to remotely administrate the server and automatically are in the local admin group on all W2K workstations > Remember too, that Win 2K has AD services and these are not > backwards compatible with 4.0, so it could be a setup that is > incompatible. Active directory only applies if you have a W2K server and maybe even so only if it is a native W2K server environment that means no NT4 or other kinds of servers. Raoul Armfield Support Specialist IT-Call Center Mailto:[EMAIL PROTECTED] American Museum of Natural History Central Park West at 79th Street New York, New York 10024-5192 (212) 313-7258 > -----Original Message----- > From: Robert Clark [mailto:[EMAIL PROTECTED]] > Sent: Tuesday, January 08, 2002 12:45 PM > To: 'David Giacchetta'; [EMAIL PROTECTED] > Subject: RE: W2K Domain Selection > > > A caveat, I am not intimately familiar with Win 2K, only > passingly. That having been said, here is a long winded > possibility: > > It may have to do with the actual login privileges on the NT4 > domain. Remember (at least with nt4) you have a local login > with privileges, and a remote login with privileges. The > remote login will by default receive the least amount of > privileges. You may want to look at your user account and see > if he/she belongs to more than one group (Domain and/or > Local). An easy way to remember NT4 access rights is > least-least-most. Least being the least restrictive, Most > being the Most restrictive. > > A simpler explanation could be that they are only members of > the local admin group on the NT4 box and not the Domain > Admins, or your 2K domain is not properly talking to the NT4 > domain. > > Remember too, that Win 2K has AD services and these are not > backwards compatible with 4.0, so it could be a setup that is > incompatible. > > Just my $0.02, Anyone feel free to correct anything I have > stated here and PLEASE don't flame me if I am off the mark > here...I am rusty at > this...:) > > > > -----Original Message----- > > From: David Giacchetta [mailto:[EMAIL PROTECTED]] > > Sent: Monday, January 07, 2002 8:05 AM > > To: [EMAIL PROTECTED] > > Subject: W2K Domain Selection > > > > > > Hi Folks > > > > I �ve seven domains in my wan, and also workstations are w2k, > > the big question is this, WHY?? when i selected the local > > domain in the workstation, example.. (the domain of the > > machine), in the login,,,, ALL the Rights works better, but > > if i selected another domain, ex... a domain NT4 Server, the > > user don�t get all yours right... If a user have a > > Administrator Right when are login in a local domain, but > > when it login over a NT4 domain this user have a simple > > right......????? Of course, the right over de network works > > good... the problem is in the machine.... > > > > Sincurely Yours > > > > Luciano > > > > > > > > > > > > > > _________________________________________________________ > > > > Do You Yahoo!? > > > > Get your free @yahoo.com address at http://mail.yahoo.com > > > > > > > > > > > > > -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com> iQA/AwUBPDyQRYNpNUGLk0LaEQL7FACfdis+HEwePrP5RdtpkbOPGm8WI2QAn23I FD+A3Aj1VLuvPxasUmYVXNlz =v0E0 -----END PGP SIGNATURE-----
